Analysis
-
max time kernel
150s
-
max time network
153s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240426-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
-
submitted
19-05-2024 22:38
Static task
static1
Behavioral task
behavioral1
Sample
5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe
-
Size
658KB
-
MD5
5bd91a97aa2e10adc9c00c400b50158f
-
SHA1
16c2d0132914fe69e2d3bee62bd868f256a1db3a
-
SHA256
d358c87cf527ba9f5036d0fa620101d49d526c023187f29a86f3fdb8510263d6
-
SHA512
26c7b202a08e8a18c2a61ee2017b6e696f82649241335863073dd89faa05f31eac187f5d7c540733a6833b7d5ea65ecfbeeb86d9bb1af64a7b9e0a6dbcbbb304
-
SSDEEP
6144:qIO3wz0Co3sLuwhOAJBGiDZdDn6h60rk8/W7Tr7s5A0fgYXkSByW7huU0:XHpZdOU0rk8qhGgYXh70
Malware Config
Extracted
azorult
http://vitani.tk/disk/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe
-
Drops startup file 3 IoCs
Processes: cmd.exe, office.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.lnk | office.exe
-
Executes dropped EXE 1 IoCs
Processes: office.exe
pid | process
1172 | office.exe
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral2/memory/464-4-0x0000000004F60000-0x0000000004F80000-memory.dmp | agile_net
-
Suspicious use of SetThreadContext 1 IoCs
Processes: office.exe
description | pid | process | target process
PID 1172 set thread context of 4232 | 1172 | office.exe | RegAsm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe, office.exe
description | pid | process
Token: SeDebugPrivilege | 464 | 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe
Token: SeDebugPrivilege | 1172 | office.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes: 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe, explorer.exe, office.exe
description | pid | process | target process
PID 464 wrote to memory of 1208 | 464 | 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe | cmd.exe
PID 464 wrote to memory of 1208 | 464 | 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe | cmd.exe
PID 464 wrote to memory of 1208 | 464 | 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe | cmd.exe
PID 464 wrote to memory of 5116 | 464 | 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe | explorer.exe
PID 464 wrote to memory of 5116 | 464 | 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe | explorer.exe
PID 464 wrote to memory of 5116 | 464 | 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe | explorer.exe
PID 3836 wrote to memory of 1172 | 3836 | explorer.exe | office.exe
PID 3836 wrote to memory of 1172 | 3836 | explorer.exe | office.exe
PID 3836 wrote to memory of 1172 | 3836 | explorer.exe | office.exe
PID 1172 wrote to memory of 4232 | 1172 | office.exe | RegAsm.exe
PID 1172 wrote to memory of 4232 | 1172 | office.exe | RegAsm.exe
PID 1172 wrote to memory of 4232 | 1172 | office.exe | RegAsm.exe
PID 1172 wrote to memory of 4232 | 1172 | office.exe | RegAsm.exe
PID 1172 wrote to memory of 4232 | 1172 | office.exe | RegAsm.exe
PID 1172 wrote to memory of 4232 | 1172 | office.exe | RegAsm.exe
PID 1172 wrote to memory of 4232 | 1172 | office.exe | RegAsm.exe
PID 1172 wrote to memory of 4232 | 1172 | office.exe | RegAsm.exe
PID 1172 wrote to memory of 4232 | 1172 | office.exe | RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
        - Drops startup file
    -
    C:\Windows\SysWOW64\explorer.exe
        Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
-
C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
        - Drops startup file
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        -
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe
Filesize
658KB
MD5
5bd91a97aa2e10adc9c00c400b50158f
SHA1
16c2d0132914fe69e2d3bee62bd868f256a1db3a
SHA256
d358c87cf527ba9f5036d0fa620101d49d526c023187f29a86f3fdb8510263d6
SHA512
26c7b202a08e8a18c2a61ee2017b6e696f82649241335863073dd89faa05f31eac187f5d7c540733a6833b7d5ea65ecfbeeb86d9bb1af64a7b9e0a6dbcbbb304
-
memory/464-4-0x0000000004F60000-0x0000000004F80000-memory.dmp
Filesize
128KB
-
memory/464-3-0x0000000004F80000-0x0000000005012000-memory.dmp
Filesize
584KB
-
memory/464-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp
Filesize
4KB
-
memory/464-2-0x0000000005490000-0x0000000005A34000-memory.dmp
Filesize
5.6MB
-
memory/464-5-0x0000000074C40000-0x00000000753F0000-memory.dmp
Filesize
7.7MB
-
memory/464-6-0x0000000074C4E000-0x0000000074C4F000-memory.dmp
Filesize
4KB
-
memory/464-10-0x0000000074C40000-0x00000000753F0000-memory.dmp
Filesize
7.7MB
-
memory/464-1-0x0000000000520000-0x00000000005CA000-memory.dmp
Filesize
680KB
-
memory/1172-16-0x00000000066D0000-0x000000000676C000-memory.dmp
Filesize
624KB
-
memory/1172-14-0x00000000054D0000-0x00000000054EE000-memory.dmp
Filesize
120KB
-
memory/1172-13-0x0000000005410000-0x0000000005486000-memory.dmp
Filesize
472KB
-
memory/4232-21-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB
-
memory/4232-17-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB
-
memory/4232-19-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB
-
memory/4232-29-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB
-
memory/4232-27-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB
-
memory/4232-25-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB
-
memory/4232-23-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB